Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Inherited Client moving from MPLS to VPN

    Firewalling
    2
    2
    930
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rickh925
      last edited by

      Hopefully this is the right forum. I've used PFSense for some time with other clients, but not quite at this level. I inherited a client literally from a guy that died.  :'(

      The current configuration is two offices with 20-25 workstations each, ESXi at both locations, Exchange at Location 1. Most workstations are using static IPs although as I am joining them to the Win2k8 domain I am converting them to DHCP. There is an MPLS link between the two locations as shown below. Location 2 routes all traffic through Location 1 then onto the Internet. There are lots of reasons to get away from this and give Internet connectivity to both offices directly. So, they have added BrightHouse 70/5 to both locations and want me to link them together with a VPN/firewall. The new connections are just terminated at the modems at each location so the cart isn't completely in front of the horse.

      I don't really want to change the IP ranges (Location 1 is 10.0.0.0/24 and Location 2 is 10.0.1.0/24). Both locations need to use server resources at the other location. I can summarize them as 10.0.0.0/22 so I do plan to stay with these ranges unless someone has a better solution.

      I can use anything for the site-to-site link but need to also have mobile VPN capability for about 5 users with access to both locations without having to VPN into each Location depending on where they need resources. I think that will be no problem if the mobile user VPNs to Location 1 and needs resources at Location 2 but I need to look into that a little more.

      Anyway, if anyone has any suggestions I'm open. I have an ESXi 5 server at each location with two open NICs that I plan to use for PFSense.

      Rick

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        This should be no problem to implement. I use OpenVPN and a site-to-site link between those 2 subnets is easy. I have 2 main offices like that (plus branches) and put a road warrior OpenVPN server listening at each main office. Users can have the OpenVPN client installed with 2 configs, for connection to either office, so if one is down they can try the other. Give each Road Warrior server a subnet and include that wherever you mention a remote office LAN in the "Remote Networks" box when you setup the OpenVPN link/s. That way Location 2 can have a route to Location 1 LAN and Location 1 Road Warrior subnets, and vice versa.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • First post
          Last post